Skip to main content

Red Hat CVE-2026-39395

| EUVDEUVD-2026-19919 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-04-07 GitHub_M GHSA-w6c6-c85g-mmv6
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19919
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 20:06 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

AnalysisAI

Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.

Technical ContextAI

Cosign is a code signing and transparency tool for containers and binaries built on the Sigstore infrastructure. The vulnerability resides in the verify-blob-attestation function, which validates that attestations meet expected schema and predicate type requirements. The root cause (CWE-754: Improper Check for Unusual or Exceptional Conditions) manifests as a logic flaw in error handling during predicate type validation for old-format bundles and detached signatures, and complete bypass of validation for new-format bundles. This allows attestations with invalid payloads or incorrect predicate types to pass verification checks when they should be rejected, undermining the cryptographic guarantees that supply chain tools depend on.

RemediationAI

Vendor-released patch: Update to Cosign 3.0.6 (for 3.x users) or 2.6.3 (for 2.x users). Both versions restore proper predicate type validation for old-format bundles, detached signatures, and new-format bundles. Users should prioritize upgrading to the latest stable release in their current branch. Consult the official GitHub advisory at https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6 for detailed upgrade instructions and version compatibility notes. Until patched, organizations should manually review and audit attestations used in critical supply chain decisions.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-39395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy